Contents

Security Incidents

As an open computing environment with daily interaction with thousands of colleagues in partner institutions around the world, SDSC expects a small number of security incidents.

When a security incident occurs, SDSC will provide complete, timely notification to any third parties who may be impacted as soon as the incident can be confirmed and contact information can be obtained. SDSC will act promptly to investigate any reports of intrusions elsewhere that could impact SDSC.

SDSC will provide complete, timely notification of security incidents to designated security contacts at research groups within SDSC. Each research group is responsible for designating primary and secondary security contacts and maintaining up-to-date contact information with the Security group. SDSC will also notify users whose accounts or data were affected, or potenially affected, as soon as possible. Users are responsible for keeping their contact information with SDSC Technical Support Services up-to-date by submitting a Remedy ticket via staff.sdsc.edu when contact information changes.

SDSC Security will also notify UCSD-CIRT of security events at SDSC as required by UCSD policy.

SDSC will provide full disclosure of significant security incidents to sponsors once the initial response has stabilized the situation. Some sponsors, including the National Science Foundation, require timely disclosure of large incidents as well as a summary of the incident and the incident response in an annual report.

In general, the type, security, and extent of an incident will determine who is notified and when. At the discretion of SDSC Security, other groups on campus may be notified of incidents at SDSC, especially when they are reasonably believed to be targets for or vulnerable to the same or similar attacks.

As a science-focused organization, SDSC recognizes the value of public disclosure of security incidents in providing data on the general state of computer security. As such, SDSC will provide a report quarterly that summarizes the incidents we experienced.

Media

Queries from the press/media about incidents should be directed to the SDSC Communications and Public Relations Group (PR Group). SDSC staff should not answer questions from the press without coordination with the PR Group.

Questions about SDSC security in general should be directed to the SDSC Security Group.

Pursuant to California Civil Code Section 1978.80 - 1798.84 and UCSD policy, SDSC users will be notified of any personal data that was, or is believed to have been accessed or acquired by an unauthorized person. On behalf of SDSC, UCSD will notify owners of data as soon as possible after the system has been secured against further intrusion, unless law enforcement requests further delay.

California Public Records Act

Information stored at SDSC may be subject to release in response to requests made under the California Public Records Act.

Personal Information

Machines and networks at SDSC may be monitored by authorized personnel for operational and research purposes. SDSC complies with the UC Electronic Communications Policy (ECP) and does not disclose personal communication except as allowed in the UC ECP.